Domain 1: Security and Risk Management

Question 1

Confidentiality

Answer 1

Seeks to prevent the unauthorized disclosure of information: it keeps data secret.

Question 2

Integrity

Answer 2

Seeks to prevent unauthorized modification of information. In other words, seeks to prevent unauthorized write access.

Question 3

Availability

Answer 3

Ensures that information is available when needed.

Question 4

Subject

Answer 4

An active entity on an information system.

Question 5

Object

Answer 5

A passive data file.

Question 6

Annualized Loss Expectancy

Answer 6

The cost of loss due to a risk over a year.

Question 7

Threat

Answer 7

A potentially negative occurrence.

Question 8

Vulnerability

Answer 8

A weakness in a system.

Question 9

Risk

Answer 9

A matched threat and vulnerability.

Question 10

Safeguard

Answer 10

A measure taken to reduce risk.

Question 11

Total Cost of Ownership

Answer 11

The cost of a safeguard.

Question 12

Return on Investment

Answer 12

Money saved by deploying a safeguard.

Question 13

Disclosure, alteration and destruction (DAD)

Answer 13

Opposite of CIA.

Question 14

2 types of integrity?

Answer 14

Data integrity and system integrity

Question 15

Data integrity

Answer 15

Seeks to prevent unauthorized modification of information.

Question 16

System integrity

Answer 16

Seeks to prevent unauthorized modification of a system.

Question 17

Disclosure

Answer 17

Unauthorized release of information.

Question 18

Alteration

Answer 18

Unauthorized modification of data.

Question 19

Destruction

Answer 19

Making systems or data unavailable.

Question 20

AAA

Answer 20

Authentication, Authorization and Accountability

Question 21

Identity

Answer 21

A claim of who you are. By itself it is weak because there is no proof.

Question 22

Authentication

Answer 22

Proving an identity claim.

Question 23

Authorization

Answer 23

Describes the actions you can perform on a system once you have been identified and authenticated.

Question 24

Accountability

Answer 24

Holds users responsible for their actions.

Question 25

Non-repudiation

Answer 25

Means a user cannot deny having performed a transaction.

Question 26

Non-repudiation

Answer 26

Combines authentication and integrity. Both of these are required before you can have this.

Question 27

Least privilege

Answer 27

Means users should be granted the minimum amount of access required to do their jobs.

Question 28

Need to know

Answer 28

More granular than least privilege: the user must need to know that specific piece of information before accessing it.

Question 29

Examples of subjects

Answer 29

User or computer program.

Question 30

Examples of objects

Answer 30

Documents, database tables, text files, executable file for a computer program, etc.

Question 31

Defense-in-depth

Answer 31

Applies multiple safeguards (or controls) to protect an asset.

Question 32

Due care

Answer 32

doing what a reasonable person would do.

Question 33

Due diligence

Answer 33

The management of du care.

Question 34

Due care and due diligence are often confused. Think of due diligence as a step beyond due care. Due care is informal, due diligence follows a process.

Answer 34

n/a

Question 35

Example of due care

Answer 35

Expecting your staff to patch their systems.

Question 36

Example of due diligence

Answer 36

Verifying that your staff has patched their systems.

Question 37

Gross negligence

Answer 37

Opposite of due care.

Question 38

Three major systems of law.

Answer 38

Civil, common, and religious.

Question 39

Civil law

Answer 39

Type of law that is employed by many countries throughout the world.

Question 40

Primary difference between civil law and common law

Answer 40

In civil law judicial precedents and particular case rulings do not carry the weight they do under common law.

Question 41

Common law

Answer 41

The legal system used in the US, Canada, UK and most former British colonies.

Question 42

Religious law

Answer 42

Religious doctrine or interpretation which servers as a source of legal understanding and statutes.

Question 43

Sharia

Answer 43

Term used for Islamic law - uses Qur’an and Hadith as its foundation.

Question 44

Customary law

Answer 44

Refers to those customs or practices that are so commonly accepted by a group that the custom is treated as a law.

Question 45

The concept of “best practices” is closely associated with Customary law.

Answer 45

n/a

Question 46

3 branches of common law

Answer 46

Criminal, Civil and Administrative

Question 47

Criminal Law

Answer 47

Pertains to those laws where the victim can be seen as society itself. Primary focus is punishment and deterrence.

Question 48

Goal of criminal law

Answer 48

To promote and maintain an orderly and law abiding citizenry.

Question 49

Civil Law (as a branch of common law)

Answer 49

Pertains to cases where the victim is an individual, group or organization. Primary focus is compensation for the victim rather than punishment and deterrence.

Question 50

Types of financial damages

Answer 50

Statutory, Compensatory and Punitive

Question 51

Statutory damages

Answer 51

Those prescribed by law, which can be awarded to the victim even if the victim incurred no actual loss or injury.

Question 52

Compensatory damages

Answer 52

Purpose is to provide the victim with a financial award in effort to compensate for the loss or injury incurrred as a direct result of the wrongdoing.

Question 53

Punitive damages

Answer 53

Purpose is to punish an individual or organization. These damages are typically awarded to attempt to discourage a particularly egregious violation where the compensatory or statutory damages alone would not act as a deterrent.

Question 54

Administrative law (regulatory law)

Answer 54

Law enacted by government agencies.

Question 55

Examples of administrative law

Answer 55

FCC regulations, HIPAA Security mandates, FDA regulations and FAA regulations.

Question 56

Prudent man rule

Answer 56

Another name for due care.

Question 57

Types of evidence

Answer 57

Real, Direct, Circumstantial, Corroborative and Hearsay

Question 58

Real Evidence

Answer 58

Consists of tangible or physical objects.

Question 59

Examples of real evidence

Answer 59

Hard drives, DVDs, USB drives or printed business records.

Question 60

Direct Evidence

Answer 60

Testimony provided by a witness regarding what the witness actually experienced with his/her five senses.

Question 61

Circumstantial Evidence

Answer 61

Serves to establish the circumstances related to particular points or even other evidence.

Question 62

Example showing difference between direct and circumstantial evidence

Answer 62

If a witness testifies that she saw the defendant create and distribute malware this would be direct evidence. If forensics of the defendant’s computer revealed the existence of source code for malware, this would constitute circumstantial evidence.

Question 63

Corroborative Evidence

Answer 63

Provides additional support for a fact that might have been called in to question. This does not establish a particular fact on its own.

Question 64

Hearsay

Answer 64

Second-hand evidence. Generally considered inadmissible in court.

Question 65

Business and computer generated records are generally considered hearsay evidence, but case law and updates to the Federal rules of evidence have established exceptions to this.

Answer 65

n/a

Question 66

Five desirable criteria for evidence.

Answer 66

Relevant, authentic, accurate, complete and convincing

Question 67

Best evidence rule

Answer 67

courts prefer the best evidence possible - original documents preferred over copies, conclusive tangible objects preferred over oral testimony. Recall the five desirable criteria for evidence.

Question 68

Secondary evidence

Answer 68

Class of evidence common in cases involving computers. Consists of copies of original documents and oral descriptions.

Question 69

Rule 1001 of the US Federal Rules of Evidence

Answer 69

Can allow for readable reports of data contained on a computer to be considered original as opposed to secondary evidence.

Question 70

Fourth amendment

Answer 70

Protects citizens from unreasonable search and seizure by the government.

Question 71

Exception to requirement for search warrant in computer crimes.

Answer 71

Exigent circumstances in which there is an immediate threat to human life or evidence being destroyed.

Question 72

Search warrants only apply to law enforcement and those who are acting under the color of law enforcement.

Answer 72

n/a

Question 73

If private citizens carry out actions or investigations on behalf of law enforcement these individuals are acting under the color of law and can be considered agents of law enforcement.

Answer 73

n/a

Question 74

Entrapment

Answer 74

When law enforcement, or an agent of law enforcement, persuades someone to commit a crime when the person otherwise had no intention to commit a crime.

Question 75

Enticement

Answer 75

Differs from entrapment in that the person is determined to have already broken a law or is intent on doing so.

Question 76

3 categories for computer crimes

Answer 76

Computer systems as targets
Computer systems as a tool to perpetrate the crime
Computer systems involved but incidental

Question 77

Intellectual property

Answer 77

Refers to intangible property that resulted from a creative act.

Question 78

Trademarks (TM or ®)

Answer 78

Purpose is to allow for the creation of a brand that distinguishes the source of products or services.

Question 79

Servicemarks (SM)

Answer 79

Constitute a subset of brand recognition related intellectual property.

Question 80

Patents

Answer 80

Provide a monopoly to the holder on the right to use, make, or sell an invention for a period of time in exchange for the holder’s making the invention public.

Question 81

Typical length of a patent in US and Europe?

Answer 81

20 years

Question 82

Copyright (©)

Answer 82

Represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works.

Question 83

Typical length of a copyright in US

Answer 83

70 years after the death of the author.
If the work is a product of a corporation then the term lasts for 95 years after the first publication or 120 years after creation, whichever comes first.

Question 84

First sale doctrine

Answer 84

Allows a legitimate purchaser of a copyrighted material to sell it to another person.

Question 85

Fair use doctrine

Answer 85

Allows someone to duplicate copyrighted material without requiring the payment, consent, or even knowledge of the copyright holder.

Question 86

Software licenses

Answer 86

Agreement between provider of software and the consumer.

Question 87

Trade secrets

Answer 87

Business-proprietary information that is important to an organization’s ability to compete.

Question 88

Well known intellectual property attacks

Answer 88

Software piracy and copyright infringement.

Question 89

Trademark dilution

Answer 89

Represents an unintentional attack in which the trademarked brand name is used to refer to the larger general class of products of which the brand is a specific instance. Example: Using Kleenex to refer to all facial tissue regardless of brand

Question 90

Cybersquatting

Answer 90

Refers to an individual or organization registering or using, in bad faith, a domain name that is associated with another person’s trademark.

Question 91

Typosquatting

Answer 91

Refers to a specific type of cybersquatting in which the cybersquatter registers likely misspellings or mistyping of legitimate domain trademarks.

Question 92

Privacy

Answer 92

The protection of the confidentiality of personal information.

Question 93

EU Data Protection Directive

Answer 93

Allows for the free flow of information while still maintaining consistent protections of each member nation’s citizens’ data.

Question 94

Principles of EU Data Protection Directive

Answer 94

• Notifying individuals how their personal data is collected and used.
• Allowing individuals to opt out of sharing their personal data with third parties.
• Requiring individuals to opt into sharing the most sensitive personal data.
• Providing reasonable protections for personal data.

Question 95

Organization for Economic Cooperation and Development (OECD)

Answer 95

• Though often considered excusively European, consists of 30 member nations from around the world.
• Provides a forum in which countries can focus on issues that impact the global economy.

Question 96

OECD Guidelines on the protection of Privacy and Transborder Flows of Personal Data

Answer 96

Issues in 1980, sought to provide a basic framework for the protections that should be afforded personal data as it traverses the various world economies.

Question 97

Eight driving principles regarding the privacy of personal data.

Answer 97

• Collection Limitation Principle
• Data Quality Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability Principle

Question 98

Collection Limitation Principle

Answer 98

Personal data collection should have limits, be obtained in a lawful manner, and, unless there is a compelling reason to the contrary, with the individual’s knowledge and approval.

Question 99

Data Quality Principle

Answer 99

Personal data should be complete, accurate, and maintained in a fashion consistent with the purposes for the data collection.

Question 100

Purpose Specification Principle

Answer 100

The purpose for the data collection should be known, and the subsequent use of the data should be limited to the purposes outlined at the time of collection.

Question 101

Use Limitation Principle

Answer 101

Personal data should never be disclosed without either the consent of the individual or as the result of a legal requirement.

Question 102

Security Safeguards Principle

Answer 102

Personal data should be reasonably protected against unauthorized use, disclosure, or alteration.

Question 103

Openness Principle

Answer 103

The general policy concerning collection and use of personal data should be readily available.

Question 104

Individual Participation Principle

Answer 104

Individuals should be:

• Able to find out if an entity holds any of their personal data.
• Made aware of any personal data being held.
• Given a reason for any denials to account for personal data being held, and a process for challenging any denials
• Able to challenge the content of any personal data being held, and have a process for updating their personal data if found to be inaccurate or incomplete.

Question 105

Accountability Principle

Answer 105

The entity using the personal data should be accountable for adhering to the principles above.

Question 106

EU Data Protection Directive states that personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries outside of the EU unless the receiving country is perceived by the EU to adequately protect their data.

Answer 106

EU-US Safe Harbor was created because of this, to account for the US having less stringent privacy protections.

Question 107

EU-US Safe Harbor

Answer 107

Framework that will give US based organizations the benefit of authorized data sharing with the EU.

Question 108

Privacy Act of 1974

Answer 108

Created to codify protection of US citizens’ data that is being used by the federal government.

Question 109

Council of Europe Convention on Cybercrime

Answer 109

Most significant progress toward international cooperation in computer crime policy. Focused on establishing standards in cybercrime policy to promote international cooperation during the investigation and prosecution of cybercrime. Signed by the 47 European members as well as US.

Question 110

Coordinating Committee for Multilateral Export Controls (CoCom)

Answer 110

During the Cold War, this was a multinational agreement to not export certain technologies, which included encryption, to many communist countries.

Question 111

Wassenaar Agreement

Answer 111

Post Cold War standard for export controls. Still included significant restrictions on the export of cryptographic algorithms and technologies to countries not included in the agreement.